I have seen Android malware delete and send SMS messages but this is the first time I saw an Android malware act as an SMS relay.

My colleagues and I were recently able to analyze a sample of an Android malware that uses an infected device as a proxy for sending and receiving messages. Unlike most Android-specific threats we have recently seen, this one does not piggyback on legitimate Android apps. Once installed, it displays a blank window for a split second then immediately closes it.

This malware installs a service called FlashService. It employs two receivers called FlashReceiver and SMSReceiver, which are respectively triggered after a device boots up and when it receives an SMS message. FlashReceiver, which runs after a device boots up, starts the FlashService.

Receivers are functions that are executed when a specific Intent is received. Think of an Intent simply as an event. When a device received an SMS message, its OS will broadcast this event, which triggers the execution of all of the functions that are supposed to run every time the said event occurs.

FlashService is responsible for allowing the device to communicate with its server. As mentioned, it runs once the device boots up and connects to a certain URL in order to download an .XML configuration file. The code of the .XML configuration file the malware receives at the time of writing is shown below.

Send Element

One interesting entry in the configuration file is the send element. The server currently does not put any information in it. However, when I looked into the malware’s code, it appears to accept a mobile number in the number attribute and a string in the text content.

What happens here is when the malware author encodes something like “This is an SMS message” in the configuration file, the malware will send the message “This is an SMS message” to that number. Any text contained in the said element will be used as the SMS body and the number in the number attribute will be the recipient.

However, this only sends SMS messages one way. In order to act as a relay, it should also be able to forward the SMS message when the recipient replies. This is where SMSReceiver comes in. SMSReceiver checks if the sender of the SMS message is the same as the one in its configuration file. If so, it will get the SMS body then send it to its server via the URL in the insms element in the configuration file. After posting, the SMS message is deleted so the user of the infected device will not see it.

Possible Motive

The way I see it, this malware may be used for three particular reasons. First, it can be used to abuse premium services. The malware author can command the backdoor to enroll the infected device in a specified premium service. The user will not have any idea that it has already been enrolled since the malware also deletes the SMS notifications for the said service.

Second, it can be used to spy on the targeted device. The malware author can set a specific number. Once an SMS message is received from that number, the SMS body is uploaded to its server.

Finally, it can be used as an SMS relay (like a proxy server for SMS messages). The malware author can send and receive SMS messages through the infected device.

How to Manually Check If Your Device Has Been Infected

Go to Settings > Applications > Running Services. Check for the existence of an application with FlashService as service and com.flashp as process.

If found, users can manually remove the malware from their devices by going to Settings > Applications > Manage Applications then uninstalling the said application.